Amendments to the Claims

Claim 1 (currently amended): A computer program product for providing fine-grained, identity-based access control in a computer networking environment, the computer program product embodied on one or more computer-readable media and comprising:
computer-readable program code means for establishing a first security association between a first host and a boundary device, wherein the first security association uses strong cryptographic techniques;
computer-readable program code means for establishing a second security association between a second host and the boundary device, wherein the second security association uses strong cryptographic techniques;
computer-readable program code means for providing secure communications between a security enforcement function in the boundary device and an access control function;
computer-readable program code means for extracting, by the security enforcement function, a first authenticated identity associated with the first host during operation of the computer-readable program code means for establishing the first security association;
computer-readable program code means for extracting, by the security enforcement function, a second authenticated identity associated with the second host during operation of the computer-readable program code means for establishing the second security association;
computer-readable program code means for providing the extracted first authenticated identity and the extracted second authenticated identity, by the security enforcement function, to the access control function; and
computer-readable program code means for determining access privileges of the first host and the second host, by the access control function, based upon the provided extracted identities.

Claim 2 (original): The computer program product according to Claim 1, wherein the strong cryptographic techniques used for the first security association and the second security association are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claim 3 (currently amended): The computer program product according to Claim 1, further comprising:
computer-readable program code means for securely making the determined access privileges available to the security enforcement function; and
computer-readable program code means for using the made-available access privileges to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.



Claim 4 (currently amended): The computer program product according to Claim 1, further comprising:
computer-readable program code means for securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
computer-readable program code means for using the communicated packet-handling directives to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.
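As an added illustration, not part of the claims or of the applicant's implementation, the following Python sketch models the division of labour that Claims 1 through 4 describe: a security enforcement function in the boundary device learns each host's authenticated identity when that host's security association is established, hands the pair of identities to an access control function, and applies the returned packet-handling directive to every packet flowing between the two associations. All identities, addresses, SPIs and the policy table are constructed for the example, and the secure channel between the two functions is assumed rather than modelled.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # Security Parameter Index carried by inbound packets (constructed)
    host: str       # address of the protected host
    identity: str   # identity authenticated by IKE while this SA was established


class AccessControlFunction:
    def __init__(self, policy: Dict[FrozenSet[str], str]) -> None:
        self.policy = policy  # identity pair -> "forward"; any absent pair -> "discard"

    def determine_privileges(self, first: str, second: str) -> str:
        # decision is keyed on authenticated identities, never on addresses; default-deny
        return self.policy.get(frozenset((first, second)), "discard")


class SecurityEnforcementFunction:
    """Runs in the boundary device and applies directives obtained from the ACF."""

    def __init__(self, acf: AccessControlFunction) -> None:
        self.acf = acf
        self.sas: Dict[int, SecurityAssociation] = {}
        self.directives: Dict[Tuple[int, int], str] = {}  # cached per SA pair

    def establish_sa(self, spi: int, host: str, identity: str) -> None:
        # the authenticated identity is extracted here, as the SA comes up
        self.sas[spi] = SecurityAssociation(spi, host, identity)

    def tear_down_sa(self, spi: int) -> None:
        # an identity is only trusted while its SA lives, so forget its directives too
        self.sas.pop(spi, None)
        self.directives = {k: v for k, v in self.directives.items() if spi not in k}

    def handle_packet(self, inbound_spi: Optional[int], dst_host: str) -> str:
        # packet arrived on inbound_spi (None = plaintext, no SA) and is bound for dst_host
        src_sa = self.sas.get(inbound_spi) if inbound_spi is not None else None
        dst_sa = next((sa for sa in self.sas.values() if sa.host == dst_host), None)
        if src_sa is None or dst_sa is None:
            return "discard"  # no SA on one side means no authenticated identity to use
        key = (src_sa.spi, dst_sa.spi)
        if key not in self.directives:
            # both extracted identities go to the ACF over the (assumed) secure channel
            self.directives[key] = self.acf.determine_privileges(src_sa.identity, dst_sa.identity)
        return self.directives[key]


def demo() -> Tuple[str, str, str, str]:
    # constructed policy and SAs: alice may reach the payroll application, bob may not
    policy = {frozenset(("alice@corp.example", "payroll-app")): "forward"}
    sef = SecurityEnforcementFunction(AccessControlFunction(policy))
    sef.establish_sa(0x1001, "10.0.1.5", "alice@corp.example")
    sef.establish_sa(0x1002, "10.0.2.9", "payroll-app")
    sef.establish_sa(0x1003, "10.0.1.6", "bob@corp.example")
    allowed = sef.handle_packet(0x1001, "10.0.2.9")   # alice -> payroll
    denied = sef.handle_packet(0x1003, "10.0.2.9")    # bob -> payroll
    plaintext = sef.handle_packet(None, "10.0.2.9")   # arrived outside any SA
    sef.tear_down_sa(0x1001)
    revoked = sef.handle_packet(0x1001, "10.0.2.9")   # alice's SA is gone
    return allowed, denied, plaintext, revoked
```

Note that the cached directive is bound to the SA pair, so a host that re-keys with a different identity gets a fresh decision rather than inheriting the old one.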

Claim 5 (original): The computer program product according to Claim 1, wherein the computer-readable program code means for providing secure communications further comprises computer-readable program code means for establishing a secure channel between the security enforcement function and the access control function.

Claim 6 (original): The computer program product according to Claim 1, wherein the first security association specifies only coarse-grained access control information.

Claim 7 (original): The computer program product according to Claim 1, wherein the first authenticated identity associated with the first host is an identification of a user of the first host.

Claim 8 (original): The computer program product according to Claim 1, wherein the first authenticated identity associated with the first host is an identification of an application executing on the first host.

Claim 9 (original): The computer program product according to Claim 1, wherein the second security association specifies only coarse-grained access control information.

Claim 10 (original): The computer program product according to Claim 1, wherein the second authenticated identity associated with the second host is an identification of a user of the second host.

Claim 11 (original): The computer program product according to Claim 1, wherein the second authenticated identity associated with the second host is an identification of an application executing on the second host.

Claim 12 (original): A system for providing fine-grained, identity-based access control in a computer networking environment, comprising:
means for establishing a first security association between a first host and a boundary device, wherein the first security association uses strong cryptographic techniques;
means for establishing a second security association between a second host and the boundary device, wherein the second security association uses strong cryptographic techniques;
means for providing secure communications between a security enforcement function and an access control function;
means for extracting, by the security enforcement function, a first authenticated identity associated with the first host during operation of the means for establishing the first security association;
means for extracting, by the security enforcement function, a second authenticated identity associated with the second host during operation of the means for establishing the second security association;
means for providing the extracted first authenticated identity and the extracted second authenticated identity, by the security enforcement function, to the access control function; and
means for determining access privileges of the first host and the second host, by the access control function, based upon the provided extracted identities.

Claim 13 (original): The system according to Claim 12, wherein the strong cryptographic techniques used for the first security association and the second security association are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claim 14 (currently amended): The system according to Claim 12, further comprising:
means for securely making the determined access privileges available to the security enforcement function; and
means for using the made-available access privileges to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.

Claim 15 (currently amended): The system according to Claim 12, further comprising:
means for securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
means for using the communicated packet-handling directives to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.

Claim 16 (original): The system according to Claim 12, wherein the security enforcement function operates in the boundary device, and wherein the means for providing secure communications further comprises means for establishing a secure channel between the security enforcement function and the access control function.

Claim 17 (original): The system according to Claim 12, wherein the security enforcement function operates in the first host and in the second host, and wherein the means for providing secure communications further comprises means for establishing secure channels between the security enforcement function in the first and second hosts and the access control function.

Claim 18 (original): The system according to Claim 12, wherein the first authenticated identity associated with the first host is an identification of a user of the first host and/or an application executing on the first host.

Claim 19 (original): The system according to Claim 12, wherein the second authenticated identity associated with the second host is an identification of a user of the second host and/or an application executing on the second host.

Claim 20 (original): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
establishing a first security association between a first host and a boundary device, wherein the first security association uses strong cryptographic techniques;
establishing a second security association between a second host and the boundary device, wherein the second security association uses strong cryptographic techniques;
providing secure communications between a security enforcement function and an access control function;
extracting, by the security enforcement function, a first authenticated identity associated with the first host during operation of the step of establishing the first security association;
extracting, by the security enforcement function, a second authenticated identity associated with the second host during operation of the step of establishing the second security association;
providing the extracted first authenticated identity and the extracted second authenticated identity, by the security enforcement function, to the access control function; and
determining access privileges of the first host and the second host, by the access control function, based upon the provided extracted identities.



Claim 21 (original): The method according to Claim 20, wherein the strong cryptographic techniques used for the first security association and the second security association are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claim 22 (currently amended): The method according to Claim 20, further comprising steps of:
securely making the determined access privileges available to the security enforcement function; and
using the made-available access privileges to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.
Claim 23 (currently amended): The method according to Claim 20, further comprising steps of:
securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
using the communicated packet-handling directives to determine whether to forward a packet flowing between the first host and the second host using the first and second security associations or to discard the packet.

Claim 24 (original): The method according to Claim 20, wherein the security enforcement function operates in the boundary device, and wherein the step of providing secure communications further comprises the step of establishing a secure channel between the security enforcement function and the access control function.

Claim 25 (original): The method according to Claim 20, wherein the security enforcement function operates in the first host and in the second host, and wherein the step of providing secure communications further comprises the step of establishing secure channels between the security enforcement function in the first and second hosts and the access control function.

Claim 26 (original): The method according to Claim 20, wherein the first authenticated identity associated with the first host is an identification of a user of the first host and/or an application executing on the first host.
Claim 27 (original): The method according to Claim 20, wherein the second authenticated identity associated with the second host is an identification of a user of the second host and/or an application executing on the second host.

Claim 28 (currently amended): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
establishing a first security association between a first host and a first boundary device using strong cryptographic techniques;
establishing a second security association between a second host and a second boundary device using strong cryptographic techniques;
establishing a third security association between the first boundary device and the second boundary device using strong cryptographic techniques;
providing secure communications between a first security enforcement function operating in the first boundary device and an access control function;
providing secure communications between a second security enforcement function operating in the second boundary device and the access control function;
extracting, by the first security enforcement function, a first authenticated identity associated with the first host during operation of the step of establishing the first security association;
extracting, by the second security enforcement function, a second authenticated identity associated with the second host during operation of the step of establishing the second security association;
providing the extracted first authenticated identity and the extracted second authenticated identity, by the first and second security enforcement functions, to the access control function over the secure communications; and
determining access privileges of the first host and the second host, by the access control function, based upon the provided extracted identities.

Claim 29 (original): The method according to Claim 28, wherein the strong cryptographic techniques used for the first security association and the second security association are provided by protocols known as Internet Key Exchange and IP (Internet Protocol) Security Protocol.

Claim 30 (currently amended): The method according to Claim 28, further comprising steps of:
securely making the determined access privileges of the first host and second host available to the first and second security enforcement [[function]] functions, respectively; and
using the made-available access privileges to determine whether to forward a packet flowing between the first host and the second host using the first, second, and third security associations or to discard the packet.



Claim 31 (currently amended): The method according to Claim 28, further comprising steps of:
securely communicating packet-handling directives from the access control function to the first and second security enforcement [[function]] functions, based upon the determined access privileges; and
using the communicated packet-handling directives to determine whether to forward a packet flowing between the first host and the second host or to discard the packet.

Claim 32 (canceled).

Claim 33 (currently amended): The method according to Claim 28, [[wherein the first security enforcement function operates in the first host and the second security enforcement function operates in the second host,]] and wherein:
the step of providing secure communications between the first security enforcement function and the access control function further comprises the step of establishing a first secure channel between the first security enforcement function and the access control function; and
the step of providing secure communications between the second security enforcement function and the access control function further comprises the step of establishing a second secure channel between the second security enforcement function and the access control function.

Claim 34 (original): The method according to Claim 28, wherein the first authenticated identity associated with the first host is an identification of a user of the first host and/or an application executing on the first host.

Claim 35 (original): The method according to Claim 28, wherein the second authenticated identity associated with the second host is an identification of a user of the second host and/or an application executing on the second host.
Claim 36 (currently amended): A method for providing fine-grained, identity-based access control in a computer networking environment, comprising steps of:
establishing a mutually-authenticated connection between a first end device and a second end device using strong cryptographic techniques, wherein the mutually-authenticated connection comprises a first mutually-authenticated network segment between the first end device and a boundary device providing network-layer protection and a second mutually-authenticated network segment between the second end device and the boundary device;
extracting a first authenticated identity associated with the first end device and a second authenticated identity associated with the second [[host]] end device during the step of establishing the mutually-authenticated connection;
providing secure communications between a security enforcement function operating in the boundary device and an access control function;
providing the extracted first and second authenticated identities, by the security enforcement function, to the access control function;
determining access privileges of the first end device and the second end device, by the access control function, based upon the provided extracted identities;
securely communicating packet-handling directives from the access control function to the security enforcement function, based upon the determined access privileges; and
using the packet-handling directives, by the security enforcement function, to determine whether to forward packets sent by the first end device on the first network segment to the second end device on the second network segment.
Claim 37 (added): The method according to Claim 28, wherein the first security enforcement function operates in the first host instead of in the first boundary device and the second security enforcement function operates in the second host instead of in the second boundary device.